Hello Paolo,

+-- On Wed, 21 Sep 2016, Paolo Bonzini wrote --+
| Not exactly, because addr changes on every call to mcf_fec_read_bd.

  True, but the initial address 's->tx_descriptor' and 's->etdsr' could be set 
by user in imx_fec_write(). If bd.flags is set to FEC_BD_W, addr is reset to 
initial s->tx_descriptor value of s->etdsr.

        if ((bd.flags & FEC_BD_W) != 0) {                                       
            addr = s->etdsr;                                                    

| You can add a limit (e.g. 1024 or 2048 descriptors), but the patches are
| incorrect.

  Okay, I'll send a revised patch.

Thank you.
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Reply via email to